Re: Restricting user -> database access.

From: "C(dot) Bensend" <benny(at)bennyvision(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Restricting user -> database access.
Date: 2001-08-22 03:55:05
Message-ID: Pine.BSO.4.33L2.0108212233390.51-100000@fusion.bennyvision.com
Lists: pgsql-admin


On Tue, 21 Aug 2001, Tom Lane wrote:

> See "sameuser" option in pg_hba.conf.

I have. See below.

> > hostssl bobsdb a.b.c.d 255.255.255.255 crypt
>
> > This works fine, asks for a password, connects the user, and
> > then they can "\c otherdb" without any problem.
>
> The above line does not allow connections to ANY database other than
> bobsdb. If anyone can connect to anything else at all, it's because
> you have additional pg_hba lines that you're not showing us.

Before that, I have:

local all crypt
host all 127.0.0.1 255.255.255.255 crypt

The above lines should not allow ANYONE access, without a
password, correct? That's all I have above said lines.

In response to "you have additional pg_hba lines that you're
not showing us", that's all I have. Honestly.

> > hostssl bobsdb a.b.c.d 255.255.255.255 ident sameuser
>
> "sameuser" in the database column (column 2) was what I was talking
> about. "sameuser" as an ident argument is a different concept
> altogether.

OK. I accept that. While I appreciate your help profusely, you
still haven't said what I'm doing wrong.

As a test, I've configured pg_hba.conf as follows:

local all crypt
host all 127.0.0.1 255.255.255.255 crypt

hostssl balmer a.b.c.d 255.255.255.255 ident sameuser
hostssl ertz a.b.c.d 255.255.255.255 ident sameuser

host all 127.0.0.1 255.255.255.255 crypt

As user 'balmer' from the client machine, I can connect to
the 'balmer' database. Yay. :) And now, as balmer, I can
"\c ertz" and connect to the ertz database. Not so good. :(

I can do this, whether the authentication is ident or crypt.
Doesn't matter - once I've authenticated as a user, "\c" works.

Where am I going wrong?

Benny

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You see, we're leveraging the synergies of our existing open source
solution, without reliance on a single vendor.
Or in English: We use samba cause NT sucks ass.
--greg(at)rage(dot)net
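An added illustration, not part of the thread: a simplified first-match evaluator for the 7.x-style pg_hba.conf layout quoted above. It reproduces why, under the posted configuration, balmer reconnecting with "\c ertz" over hostssl still finds a matching line, and what changes when "sameuser" is placed in the database column (column 2) as Tom described. 192.0.2.10 stands in for a.b.c.d, the TIGHTENED variant is my own construction, and the ident and crypt methods themselves are not modelled, only which line is selected.

```python
import ipaddress

def parse_hba(text: str) -> list[dict]:
    # 7.x-era layout from the thread: "local DB AUTH" or "host|hostssl DB IP MASK AUTH [OPTION]"
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            rules.append({"type": "local", "db": f[1], "net": None, "auth": " ".join(f[2:])})
        else:
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
            rules.append({"type": f[0], "db": f[1], "net": net, "auth": " ".join(f[4:])})
    return rules

def db_column_matches(rule_db: str, user: str, database: str) -> bool:
    # "all" is any database; "sameuser" only the database named like the user
    if rule_db == "all":
        return True
    if rule_db == "sameuser":
        return database == user
    return rule_db == database

def lookup(rules, conn_type, user, database, client_ip=None):
    # First match wins: the first line whose type, address and database column
    # fit decides the auth method; no matching line means the backend refuses
    for r in rules:
        if r["type"] != conn_type:
            continue
        if r["net"] is not None and ipaddress.ip_address(client_ip) not in r["net"]:
            continue
        if db_column_matches(r["db"], user, database):
            return r["auth"]
    return None

# Constructed configs: 192.0.2.10 stands in for the a.b.c.d client in the post
POSTED = """
local all crypt
host all 127.0.0.1 255.255.255.255 crypt
hostssl balmer 192.0.2.10 255.255.255.255 ident sameuser
hostssl ertz 192.0.2.10 255.255.255.255 ident sameuser
"""
# Same hosts, but "sameuser" in the database column ties each user to its own db
TIGHTENED = """
local sameuser crypt
host sameuser 127.0.0.1 255.255.255.255 crypt
hostssl sameuser 192.0.2.10 255.255.255.255 ident sameuser
"""
```

Calling `lookup(parse_hba(POSTED), "hostssl", "balmer", "ertz", "192.0.2.10")` returns "ident sameuser" (the ertz line matches), while the same call against TIGHTENED returns None.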
